# Script-wide shell options: -e abort on the first failing command, -f disable
# globbing (rules that need a glob re-enable it locally with `set +f`), -u treat
# unset variables as errors.  When DRY_RUN is set, -n makes the shell parse the
# rest of the script without executing anything.
2 set -e -f ${DRY_RUN:+-n} -u
# Print this script's usage.  The rule list is produced by scanning the rule_*
# function definitions of "$tool"/etc/vm.sh and of this script with sed, and the
# readonly variables the same way.  With no argument `hidden` is set and the sed
# pattern `[^_]` skips rule__* (double-underscore) rules; any argument (the
# documented --hidden) lists them too.  The `cat <<EOF` that opens the usage
# text (original lines 9-10) and the terminator are not part of this excerpt.
7 rule_help
() { # SYNTAX: [--hidden]
# hidden=set only when $1 is empty or unset, i.e. when called with no argument.
8 local hidden
; [ ${1:+set} ] || hidden
=set
11 ce script regroupe des règles pour administrer la VM ($vm_fqdn)
12 _depuis_ la VM hébergée ($vm_fqdn) ;
13 il sert à la fois d'outil (aisément bidouillable)
14 et de documentation (préçise).
15 Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
16 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
18 $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
20 TRACE # affiche les commandes avant leur exécution
21 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
# Fragment: these three git commands belong to a rule whose header and
# neighbouring lines (original 22-27, 30-34) are not in this excerpt.  They
# point the local master branch at the `.` remote's refs/remotes/master and
# then force a checkout of it (-f discards uncommitted working-tree changes).
28 git config
--replace branch.master.remote .
29 git config
--replace branch.master.merge refs
/remotes
/master
35 git checkout
-f -B master remotes
/master
# Install Debian packages with apt-get unless they are already installed.
# Arguments: $1.. package names.  The dpkg status check looks at $1 only, so
#            when $1 is already installed the remaining packages are skipped too.
# Before apt-get runs, if etckeeper is present and `etckeeper unclean` reports
# uncommitted changes in /etc, a warning is printed (apt-get is still attempted;
# the message explains that etckeeper may then require a commit first).
# The `(*)` arm and the closing `esac`/`}` (original lines 43, 48-50) are not
# shown in this excerpt.
40 rule_apt_get_install
() { # SYNTAX: $package
41 case $
(dpkg
-s "$1" 2>/dev
/null |
grep '^Status: ') in
# Already installed: nothing to do.
42 ("Status: install ok installed");;
44 test ! -x /usr
/bin
/etckeeper ||
45 ! sudo etckeeper unclean ||
46 warn
"/etc unclean: etckeeper may force you to \`etckeeper commit'; then you can run your $0 command again."
47 sudo apt-get
install "$@";;
# Hidden rule (double underscore: rule_help's default listing skips rule__*).
# Its body (original lines 52-56) is not in this excerpt.
51 rule__chrooted_configure
() { # NOTE: is this really useful at any point?
# Write the APT sources (main archive, a commented-out backports entry, the
# OpenERP nightly third-party repository) and the /etc/apt/preferences pins.
# Each file is fed from a heredoc through `install`; the EOF terminators and
# some body lines (original 60, 63, 65, 67-69, 71-72, 75-76) are not shown.
# NOTE(review): GNU install takes the owner as -o, not -u (the dovecot and
# postfix rules in this file use -o) — unless `install` is wrapped by the tool's
# library, these calls fail before writing anything; confirm.
57 rule_apt_configure
() {
58 sudo
install -m 660 -u root
-g root
/dev
/stdin
/etc
/apt
/sources.list
<<-EOF
59 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
# The backports list is installed with its only entry commented out.
61 sudo
install -m 660 -u root
-g root
/dev
/stdin
/etc
/apt
/$vm_lsb_name-backports.list
<<-EOF
62 #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
# APT pinning: the Package/Pin-Priority lines that go with these Pin: entries
# are on lines not included here.
64 sudo
install -m 660 -u root
-g root
/dev
/stdin
/etc
/apt
/preferences
<<-EOF
66 Pin: release a=$vm_lsb_name
70 Pin: release a=$vm_lsb_name-backports
# Third-party nightly repository: once its key is accepted its packages are
# trusted like any other source; whether the preferences file pins it is not
# visible in this excerpt.
73 sudo
install -m 660 -u root
-g root
/dev
/stdin
/etc
/apt
/sources.list.d
/openerp.list
<<-EOF
74 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
# Install apticron and write /etc/apticron/apticron.conf so pending-update
# notifications go to admin@$vm_domainname.  The lines after 92 (terminator,
# closing brace) are not in this excerpt.
77 rule_apticron_configure
() {
78 rule apt_get_install apticron
# NOTE(review): GNU install has no -u option (owner is -o) — confirm `install`
# is not a wrapper here.
79 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/apticron
/apticron.conf
<<-EOF
80 EMAIL="admin@$vm_domainname"
82 # LISTCHANGES_PROFILE="apticron"
84 # SYSTEM="foobar.example.com"
86 # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
89 # NOTIFY_NO_UPDATES="0"
91 # CUSTOM_NO_UPDATES_SUBJECT=""
92 # CUSTOM_FROM="root@$vm_fqdn"
# Install GRUB and the kernel for the VM and write /etc/default/grub and
# /boot/grub/device.map, then regenerate the GRUB config and the initramfs.
# The warning reminds that GRUB must not be installed on any disk during the
# Debian installer (this rule does it).  Lines 101-102, 108, 110, 112 and 115
# (heredoc terminators, the `}`) are not shown.
95 rule_boot_configure
() {
96 warn
"lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
97 rule apt_get_install grub-pc
# NOTE(review): `install -d -m 644` creates a directory without the execute
# bit; only root (which bypasses it) can traverse /boot/grub afterwards — confirm
# 0755 was not intended.  Also GNU install takes the owner as -o, not -u.
98 sudo
install -d -m 644 -u root
-g root
/boot
/grub
99 rule apt_get_install linux-image-
$vm_arch
# Kernel command line: serial console on hvc0, static ip= from $vm_ipv4 (the
# gateway is the VM's own address, see the network rule), resume from the
# deciphered swap volume.
100 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/default
/grub
<<-EOF
103 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
104 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
105 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
106 GRUB_DISABLE_RECOVERY="true"
107 #GRUB_PRELOAD_MODULES="lvm"
# device.map: hd0 is the domU disk mapper node; device-mapper doubles every
# `-` of the LV name, hence the sed.
109 sudo
install -m 644 -u root
-g root
/dev
/stdin
/boot
/grub
/device.map
<<-EOF
111 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
113 sudo update-grub2
# NOTE: takes /boot/grub/device.map into account
114 rule initramfs_configure
# Install and configure Dovecot (IMAP + ManageSieve + Sieve): deploy the
# service's self-signed certificate/CRL bundle from the tool's public store,
# create the index/control directories, write /etc/dovecot/local.conf, install
# a per-user dovecot-passwd helper and a postgrey whitelist, then restart.
# Requires /etc/dovecot/$vm_domainname/imap/x509/key.pem to exist already (the
# assert's hint says vm_remote dovecot_key_send puts it there).  Heredoc
# terminators and several lines (original 124-125, 131, 133, 139, 141-144, 153-154,
# 156-157, 160-161, 165, 167-168, 170-174, 180-184, 186, 191-192, 194, 196) are
# not in this excerpt.
116 rule_dovecot_configure
() {
117 rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
# `assert` (defined elsewhere) receives the variable *name* `hint`, not its
# value — presumably it dereferences it for the failure message.
118 local hint
="run vm_remote dovecot_key_send before"
119 assert
"test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
# Certificate+CRL bundle of the IMAP service, readable by root only.
120 sudo
install -m 400 -o root
-g root \
121 "$tool"/var
/pub
/x509
/service
/imap
/crt
+crl.self-signed.pem \
122 /etc
/dovecot
/$vm_domainname/imap
/x509
/crt
+crl.self-signed.pem
123 sudo
install -d -m 770 -o root
-g adm \
126 sudo
install -d -m 1777 -o root
-g root \
127 /var
/lib
/dovecot-control \
128 /var
/lib
/dovecot-index
# local.conf: usernames come from the client certificate and client
# certificates are mandatory, verified against the self-signed bundle above.
# NOTE(review): ssl_cipher_list = AES256-SHA is a single static-RSA CBC suite
# with no forward secrecy; a modern cipher list would be preferable — confirm
# the client population.  INDEX/CONTROL live under /var/lib (no quota) as the
# embedded comment explains; the user database is a per-user passwd file under
# /home/%u/etc/dovecot/ and SASL is exposed to Postfix on a unix_listener.
129 sudo
install -m 664 -o root
-g root
/dev
/stdin
/etc
/dovecot
/local.conf
<<-EOF
130 auth_ssl_username_from_cert = yes
132 log_timestamp = "%Y-%m-%d %H:%M:%S "
134 mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
135 # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
136 # VOIR: http://wiki2.dovecot.org/Quota/FS
137 mail_plugins = \$mail_plugins quota
138 mail_privileged_group = mail
140 args = /home/%u/etc/dovecot/passwd
145 recipient_delimiter = +
146 sieve = ~/etc/mail/filter.sieve
147 sieve_dir = ~/etc/mail/sieve
148 sieve_global_dir = /var/lib/dovecot/sieve/global/
149 sieve_max_script_size = 1M
150 sieve_quota_max_scripts = 0
151 sieve_quota_max_storage = 10M
152 sieve_user_log = ~/var/log/mail/sieve.log
155 mail_plugins = \$mail_plugins imap_quota
158 auth_socket_path = /var/run/dovecot/auth-master
159 hostname = $vm_domainname
162 mail_plugins = \$mail_plugins sieve
163 postmaster_address = contact+dovecot+lda@$vm_domainname
164 syslog_facility = mail
166 protocols = imap sieve
169 unix_listener /var/spool/postfix/private/auth {
175 ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
176 ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
177 ssl_cipher_list = AES256-SHA
178 ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
179 ssl_verify_client_cert = yes
# /usr/local/bin/dovecot-passwd: lets a user create their own ~/etc/dovecot/passwd
# (mode 640) containing a SHA512-CRYPT hash; `doveadm pw` is given no -p, so it
# prompts for the password instead of taking it on the command line.  Its
# shebang line (original 186) is not shown.
185 sudo
install -m 755 -o root
-g root
/dev
/stdin
/usr
/local
/bin
/dovecot-passwd
<<-EOF
187 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
188 install -d -m 770 ~/etc/dovecot
189 install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
190 \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
# Local postgrey recipient whitelist; its content (original line 194) is not
# shown.
193 sudo
install -m 664 -o root
-g root
/dev
/stdin
/etc
/postgrey
/whitelist_recipients.
local <<-EOF
195 sudo service dovecot restart
# Write /etc/etckeeper/etckeeper.conf (git, no daily auto-commits, no commit
# before package installs — which is why rule_apt_get_install checks
# `etckeeper unclean` itself), then install the etckeeper package.  The config
# is written before the package exists; dpkg's conffile handling decides what
# happens to it on install — presumably it is kept, confirm.
# NOTE(review): GNU install has no -u option (owner is -o).
197 rule_etckeeper_configure
() {
198 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/etckeeper
/etckeeper.conf
<<-EOF
200 GIT_COMMIT_OPTIONS=""
201 AVOID_DAILY_AUTOCOMMITS=1
202 #AVOID_SPECIAL_FILE_WARNING=1
203 AVOID_COMMIT_BEFORE_INSTALL=1
204 HIGHLEVEL_PACKAGE_MANAGER=apt
205 LOWLEVEL_PACKAGE_MANAGER=dpkg
207 rule apt_get_install etckeeper
# Write /etc/fstab, /etc/crypttab and a sysctl swap tuning file for the VM's
# LUKS-on-LVM layout.  Only the root volume is unlocked with a passphrase
# (`none`); var/home/swap reuse root's master key through the decrypt_derived
# keyscript.  Heredoc terminators (original 221, 228, 232-233) are not shown.
# NOTE(review): GNU install has no -u option (owner is -o).
209 rule_filesystem_configure
() {
# fstab: /tmp is a size-capped tmpfs with nosuid,nodev (no noexec — confirm
# that is intended); /home carries user and group quotas.
210 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/fstab
<<-EOF
211 # <file system> <mount point> <type> <options> <dump> <pass>
212 LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
213 proc /proc proc defaults 0 0
214 sysfs /sys sysfs defaults 0 0
215 tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
216 /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
217 /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
218 /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
219 # NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
220 /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
# crypttab: the non-root volumes name the root mapping as their key source and
# use decrypt_derived, so they need no separate passphrase.
222 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/crypttab
<<-EOF
223 # <target name> <source device> <key file> <options>
224 ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
225 ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
226 ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
227 ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
229 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/sysctl.d
/local-swap.conf
<<-EOF
230 vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
231 vm.vfs_cache_pressure=50
# Configure the initramfs for a Xen PV guest: initramfs.conf, xenblk module
# aliases, the dropbear SSH server that runs inside the initramfs (so the root
# volume's passphrase can be entered remotely at boot), its RSA host key, and
# root's authorized_keys inside the initramfs built from the keys of the
# members of a group; finally rebuild the initramfs.  Many lines (heredoc
# bodies/terminators, original 236-241, 243, 245, 247-251, 254, 256, 263-265,
# 270, 275, 278-279, 282-283, 285, 291) are not in this excerpt.
# NOTE(review): GNU install has no -u option (owner is -o).
234 rule_initramfs_configure
() {
235 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/initramfs-tools
/initramfs.conf
<<-EOF
242 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/modprobe.d
/xen-pv.conf
<<-EOF
244 alias scsi_hostadapter xenblk
246 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/modules
<<-EOF
252 # NOTE: pour Xen en mode HVM :
253 #modprobe xen-platform-pci
255 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/initramfs-tools
/modules
<<-EOF
# In-place edit of a file owned by the initramfs-tools package: presumably
# reverted on the next package upgrade — confirm there is no local override.
257 sudo
sed -e '/^configure_networking /s/ &$//' \
258 -i /usr
/share
/initramfs-tools
/scripts
/init-premount
/dropbear
# NOTE: works around a bug: dropbear must wait until the network is configured.
# Look up the initramfs host key in the tool's known_hosts.  NOTE(review): the
# `return 0` runs inside the `( … )` subshell, so it only ends the subshell with
# status 0 and the following `break` is unreachable; the `||` branch that
# generates a new key (original 263-265) is not shown.
260 ssh-keygen
-F "init.$vm_fqdn" -f "$tool"/etc
/openssh
/known_hosts |
261 ( while IFS
= read -r line
262 do case $line in (*" RSA") return 0; break;; esac
266 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key \
267 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key.pub
268 sudo dropbearkey
-t rsa
-s 4096 -f \
269 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key
# NOTE: does not bother with dropbear_dss_host_key; Debian generates and uses it nonetheless.
# NOTE(review): `install -d -m 640` creates directories without the execute bit
# (the closing `/.ssh` path follows on the next continuation) — confirm 0700
# was not intended.
272 sudo
install -d -m 640 -u root
-g root \
273 /etc
/initramfs-tools
/root \
274 /etc
/initramfs-tools
/root
/.
ssh
# Outer loop reads /etc/group-style records (group:x:x:members); the inner
# `read -r user users <<-EOF` pops one comma-separated member per iteration —
# the heredoc body (original 278-279) and the group source (282-283) are not
# shown.  `eval … home="~$user"` resolves the member's home via tilde
# expansion; $user is interpolated into the eval'd text, so the member names
# must come from a trusted source (here, presumably the group file).
276 while IFS
=: read -r group x x users
277 do while test -n "$users" && IFS
=, read -r user users
<<-EOF
280 do eval local home\
; home
="~$user"
281 cat "$home"/etc
/ssh
/authorized_keys
# Aggregated keys become root's authorized_keys inside the initramfs: every
# member of that group can reach the initramfs dropbear at boot.
284 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/initramfs-tools
/root
/.ssh
/authorized_keys
286 /etc
/initramfs-tools
/root
/.ssh
/id_rsa.dropbear \
287 /etc
/initramfs-tools
/root
/.ssh
/id_rsa.pub \
288 /etc
/initramfs-tools
/root
/.ssh
/id_rsa
# NOTE: keys generated by Debian (the command applied to the three paths above
# is on original line 285, not shown)
290 sudo update-initramfs
-u
# Write /etc/locale.gen; the locale list (original 294-297) is not shown.
# NOTE(review): GNU install has no -u option (owner is -o).
292 rule_locale_configure
() {
293 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/locale.gen
<<-EOF
# Console/login policy: allow root login on the Xen consoles (hvc0, xvc0 appended
# to /etc/securetty only if missing), replace /etc/inittab (getty on hvc0
# only), write /etc/login.defs (SHA512 password hashing, sbin in every PATH)
# and append pam_umask to common-session if absent.  The `grep -q … ||` before
# each append makes the rule idempotent.  Heredoc terminators and some body
# lines (original 302-303, 307-308, 311, 313-314, 318, 321, 323-324, 329, 339,
# 342, 347, 351, 353-358, 360, 367-372, 375-386, 388, 393-394) are not shown.
# NOTE(review): GNU install has no -u option (owner is -o).
298 rule_login_configure
() {
299 grep -q '^hvc0$' /etc
/securetty ||
300 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/securetty
<<-EOF
301 $(cat /etc/securetty)
304 grep -q '^xvc0$' /etc
/securetty ||
305 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/securetty
<<-EOF
306 $(cat /etc/securetty)
309 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/inittab
<<-EOF
310 # /etc/inittab: init(8) configuration.
312 # The default runlevel.
315 # Boot-time system configuration/initialization script.
316 # This is run first except when booting in emergency (-b) mode.
317 si::sysinit:/etc/init.d/rcS
319 # What to do in single-user mode.
320 ~~:S:wait:/sbin/sulogin
322 # /etc/init.d executes the S and K scripts upon change
325 # Runlevel 0 is halt.
326 # Runlevel 1 is single-user.
327 # Runlevels 2-5 are multi-user.
328 # Runlevel 6 is reboot.
330 l0:0:wait:/etc/init.d/rc 0
331 l1:1:wait:/etc/init.d/rc 1
332 l2:2:wait:/etc/init.d/rc 2
333 l3:3:wait:/etc/init.d/rc 3
334 l4:4:wait:/etc/init.d/rc 4
335 l5:5:wait:/etc/init.d/rc 5
336 l6:6:wait:/etc/init.d/rc 6
337 # Normally not reached, but fallthrough in case of emergency.
338 z6:6:respawn:/sbin/sulogin
340 # What to do when CTRL-ALT-DEL is pressed.
341 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
343 # What to do when the power fails/returns.
344 pf::powerwait:/etc/init.d/powerfail start
345 pn::powerfailnow:/etc/init.d/powerfail now
346 po::powerokwait:/etc/init.d/powerfail stop
348 # Xen hypervisor console
349 hvc:2345:respawn:/sbin/getty 38400 hvc0
350 #xvc:2345:respawn:/sbin/getty 38400 xvc0
# login.defs: the UMASK value itself (original 367-372) is not shown; the
# embedded comments explain it grants the owning group the same trust as the
# owner to make ACLs usable.
352 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/login.defs
<<-EOF
359 FTMP_FILE /var/log/btmp
361 HUSHLOGIN_FILE .hushlogin
362 ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
363 ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
364 # NOTE: met les sbin/ dans ENV_PATH ;
365 # - ça n'apporte aucune protection de ne pas les mettre ;
366 # - ça frustre de ne pas les trouver.
373 # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
374 # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
387 ENCRYPT_METHOD SHA512
# pam_umask applies the login.defs UMASK to every session; appended once.
389 grep -q '^session optional pam_umask.so\>' /etc
/pam.d
/common-session ||
390 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/pam.d
/common-session
<<-EOF
391 $(cat /etc/pam.d/common-session)
392 session optional pam_umask.so
# Install procmail and seed /etc/skel with the per-user mail directories
# (root:adm, group-writable) and the tool's default delivery.procmailrc.
# Original lines 398, 401 and 405 (further directories, the `}`) are not shown.
395 rule_procmail_configure
() {
396 rule apt_get_install procmail
397 sudo
install -d -m 770 -o root
-g adm \
399 /etc
/skel
/var
/cache
/mail \
400 /etc
/skel
/var
/log
/mail \
402 sudo
install -m 660 -o root
-g adm \
403 "$tool"/etc
/skel
/etc
/mail
/delivery.procmailrc \
404 /etc
/skel
/etc
/mail
/delivery.procmailrc
# Install postgrey and restart it (the whitelist it reads is written by the
# dovecot rule).  The closing `}` (original 409) is not shown.
406 rule_postgrey_configure
() {
407 rule apt_get_install postgrey
408 sudo service postgrey restart
# Install and configure Postfix for $vm_domainname: create the per-domain
# smtp/smtpd x509 directories, deploy the smtpd certificate chain from the
# tool's public store, generate main.cf from the tool's template plus the
# heredoc below, install master.cf and the lookup tables (TLS policy, header
# checks, sender access, client blacklist, relay client certificates,
# transport, virtual aliases) and postmap them, then restart.  Requires
# /etc/postfix/$vm_domainname/smtpd/x509/key.pem to exist (assert hint:
# vm_remote postfix_key_send).  Many lines (original 431, 450-452, 459, 461,
# 493) are not in this excerpt.
# NOTE(review): the source paths `var/pub/…` and `etc/postfix/…` are relative,
# unlike the dovecot rule which uses "$tool"/var/…; this rule therefore only
# works with $tool as the current directory — confirm the caller guarantees it.
410 rule_postfix_configure
() {
411 local hint
="run vm_remote postfix_key_send before"
412 assert
"test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
413 warn
"lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
414 rule apt_get_install postfix
415 sudo
install -d -m 770 -o root
-g root \
416 /etc
/postfix
/$vm_domainname/ \
417 /etc
/postfix
/$vm_domainname/smtp \
418 /etc
/postfix
/$vm_domainname/smtp
/x509 \
419 /etc
/postfix
/$vm_domainname/smtp
/x509
/ca \
420 /etc
/postfix
/$vm_domainname/smtpd \
421 /etc
/postfix
/$vm_domainname/smtpd
/x509 \
422 /etc
/postfix
/$vm_domainname/smtpd
/x509
/ca
# NOTE(review): this `install -d` run (original 423-430) repeats the previous
# one (415-422) verbatim; harmless but one copy can go.
423 sudo
install -d -m 770 -o root
-g root \
424 /etc
/postfix
/$vm_domainname/ \
425 /etc
/postfix
/$vm_domainname/smtp \
426 /etc
/postfix
/$vm_domainname/smtp
/x509 \
427 /etc
/postfix
/$vm_domainname/smtp
/x509
/ca \
428 /etc
/postfix
/$vm_domainname/smtpd \
429 /etc
/postfix
/$vm_domainname/smtpd
/x509 \
430 /etc
/postfix
/$vm_domainname/smtpd
/x509
/ca
432 ..
/crt
+crl.self-signed.pem \
433 /etc
/postfix
/$vm_domainname/smtpd
/x509
/ca
/crt.pem
# smtpd certificate material, root-only (0400): self-signed cert+CRL bundle,
# the certificate itself, and the cert+root chain.
434 sudo
install -m 400 -o root
-g root \
435 var
/pub
/x509
/service
/smtpd
/crt
+crl.self-signed.pem \
436 /etc
/postfix
/$vm_domainname/smtpd
/x509
/crt
+crl.self-signed.pem
437 sudo
install -m 400 -o root
-g root \
438 var
/pub
/x509
/service
/smtpd
/crt.pem \
439 /etc
/postfix
/$vm_domainname/smtpd
/x509
/crt.pem
440 sudo
install -m 400 -o root
-g root \
441 var
/pub
/x509
/service
/smtpd
/crt
+root.pem \
442 /etc
/postfix
/$vm_domainname/smtpd
/x509
/crt
+root.pem
# NOTE(review): original 443-445 repeats the cert+CRL install of 434-436.
443 sudo
install -m 400 -o root
-g root \
444 var
/pub
/x509
/service
/smtpd
/crt
+crl.self-signed.pem \
445 /etc
/postfix
/$vm_domainname/smtpd
/x509
/crt
+crl.self-signed.pem
446 sudo
install -m 660 -o root
-g root \
447 etc
/postfix
/$vm_domainname/header_checks \
448 /etc
/postfix
/$vm_domainname/header_checks
449 sudo
install -m 664 -o root
-g root \
453 cat /dev
/stdin etc
/postfix
/main.cf
<<-EOF |
454 mydomain = $vm_domainname
455 myorigin = \$mydomain
456 myhostname = $vm_hostname.\$mydomain
457 mail_name = \$myhostname
458 mydestination = $vm_hostname \$myhostname \$myorigin
460 sudo
install -m 664 -o root
-g root
/dev
/stdin \
462 sudo
install -m 664 -o root
-g root \
463 etc
/postfix
/master.cf \
464 /etc
/postfix
/master.cf
# Per-destination TLS policy table for outgoing SMTP.
465 sudo
install -m 660 -o root
-g root \
466 etc
/postfix
/$vm_domainname/smtp
/x509
/policy \
467 /etc
/postfix
/$vm_domainname/smtp
/x509
/policy
468 sudo postmap
hash:/etc
/postfix
/$vm_domainname/smtp
/x509
/policy
469 sudo
install -m 660 -o root
-g root \
470 etc
/postfix
/$vm_domainname/smtp
/header_checks \
471 /etc
/postfix
/$vm_domainname/smtp
/header_checks
472 sudo
install -m 660 -o root
-g root \
473 etc
/postfix
/$vm_domainname/smtpd
/sender_access \
474 /etc
/postfix
/$vm_domainname/smtpd
/sender_access
475 sudo postmap
hash:/etc
/postfix
/$vm_domainname/smtpd
/sender_access
476 sudo
install -m 660 -o root
-g root \
477 etc
/postfix
/$vm_domainname/smtpd
/client_blacklist \
478 /etc
/postfix
/$vm_domainname/smtpd
/client_blacklist
479 sudo postmap
hash:/etc
/postfix
/$vm_domainname/smtpd
/client_blacklist
# relay_clientcerts: client-certificate fingerprints that are allowed to relay;
# entries here grant relaying, so review the source file's content carefully.
480 sudo
install -m 660 -o root
-g root \
481 etc
/postfix
/$vm_domainname/smtpd
/relay_clientcerts \
482 /etc
/postfix
/$vm_domainname/smtpd
/relay_clientcerts
483 sudo postmap
hash:/etc
/postfix
/$vm_domainname/smtpd
/relay_clientcerts
484 sudo
install -m 660 -o root
-g root \
485 etc
/postfix
/$vm_domainname/transport \
486 /etc
/postfix
/$vm_domainname/transport
487 sudo postmap
hash:/etc
/postfix
/$vm_domainname/transport
488 sudo
install -m 660 -o root
-g root \
489 etc
/postfix
/$vm_domainname/virtual_alias \
490 /etc
/postfix
/$vm_domainname/virtual_alias
491 sudo postmap
hash:/etc
/postfix
/$vm_domainname/virtual_alias
492 sudo service postfix restart
# Aggregate rule: configure the whole mail stack in dependency order (Postfix,
# postgrey, procmail, Dovecot).  The closing `}` (original 499) is not shown.
494 rule_mail_configure
() {
495 rule postfix_configure
496 rule postgrey_configure
497 rule procmail_configure
498 rule dovecot_configure
# Write /etc/hostname, add the VM to /etc/hosts if missing, and write
# /etc/network/interfaces for a /32 address whose gateway is the VM's own
# address (proxy_arp on the real gateway, as the embedded comment explains),
# plus the MTU setting the embedded ping transcript justifies.  Heredoc
# bodies/terminators (original 502-503, 506, 508, 510, 512-513, 515, 517-518,
# 520, 523, 527, 534, 539-540) are not shown.
# NOTE(review): GNU install has no -u option (owner is -o).
500 rule_network_configure
() {
501 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/hostname
<<-EOF
# Idempotent: only rewrite /etc/hosts when no line already ends with " $vm".
504 grep -q " $vm\$" /etc
/hosts ||
505 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/hosts
<<-EOF
507 127.0.0.1 $vm_fqdn $vm
509 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/network
/interfaces
<<-EOF
511 iface lo inet loopback
514 iface grenode inet static
516 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
519 netmask 255.255.255.255
521 # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
522 # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
524 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
525 # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
526 # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
528 # --- soupirail.grenode.net ping statistics ---
529 # 1 packets transmitted, 1 received, 0% packet loss, time 0ms
530 # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
531 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
532 # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
533 # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
535 # --- soupirail.grenode.net ping statistics ---
536 # 0 packets transmitted, 0 received, +1 errors
537 post-up ip address add $vm_ipv4/32 dev \$IFACE
538 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
# Seed /etc/skel (per-user etc/ssh, etc/gpg, var/cache, apache2 directories and
# the ~/.ssh and ~/.gnupg symlinks), generate a 4096-bit RSA SSH host key unless
# the tool's known_hosts already records one for $vm_fqdn, drop the other host
# key types, write a key-only /etc/ssh/sshd_config and restart sshd.
# NOTE(review): a second function with this exact name is defined at original
# line 624 later in this file; in sh the later definition wins, so this one
# (the sshd setup) is never the one invoked unless the real file names it
# differently — confirm.  Lines 543-544, 547-548, 556, 558, 567-569, 573-578,
# 582, 591-596, 598, 600-601, 603 are not shown.
# NOTE(review): GNU install has no -u option (owner is -o).
541 rule_user_configure
() {
542 sudo
install -d -m 750 -u root
-g adm \
545 sudo
install -d -m 770 -u root
-g adm \
546 /etc
/skel
/etc
/apache2 \
549 /etc
/skel
/var
/cache \
550 /etc
/skel
/var
/cache
/ssh
# ~/.ssh and ~/.gnupg in new homes point at the etc/ssh and etc/gpg directories
# (sshd_config below reads authorized_keys from %h/etc/ssh accordingly).
551 sudo
ln -fns etc
/ssh /etc
/skel
/.
ssh
552 sudo
ln -fns etc
/gpg
/etc
/skel
/.gnupg
# NOTE(review): `return 0` inside the `( … )` subshell only ends the subshell;
# the following `break` is unreachable.  The `||` branch (original 556) that
# leads to the key generation is not shown.
553 ssh-keygen
-F "$vm_fqdn" -f "$tool"/etc
/openssh
/known_hosts |
554 ( while IFS
= read -r line
555 do case $line in (*" RSA") return 0; break;; esac
# Host keys are stored unencrypted (-N ''), as sshd requires.
557 sudo ssh-keygen
-t rsa
-b 4096 -N '' -f /etc
/ssh
/ssh_host_rsa_key
559 /etc
/ssh
/ssh_host_dsa_key \
560 /etc
/ssh
/ssh_host_dsa_key.pub \
561 /etc
/ssh
/ssh_host_ecdsa_key \
562 /etc
/ssh
/ssh_host_ecdsa_key.pub
# NOTE: keys generated by Debian (the command applied to the four paths above
# is on original line 558, not shown)
# sshd_config: listens on $vm_ipv4 only, RSA host key only, public-key
# authentication only (password, challenge-response, host-based, Kerberos and
# GSSAPI all off), keys read from %h/etc/ssh/authorized_keys.  PermitRootLogin
# and the other directives on original 567-569/573-578 are not shown.
564 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/ssh
/sshd_config
<<-EOF
566 ListenAddress $vm_ipv4
570 HostKey /etc/ssh/ssh_host_rsa_key
571 UsePrivilegeSeparation yes
572 KeyRegenerationInterval 3600
579 RSAAuthentication yes
580 PubkeyAuthentication yes
581 AuthorizedKeysFile %h/etc/ssh/authorized_keys
583 RhostsRSAAuthentication no
584 HostbasedAuthentication no
585 IgnoreUserKnownHosts no
586 PermitEmptyPasswords no
587 ChallengeResponseAuthentication no
588 PasswordAuthentication no
589 KerberosAuthentication no
590 GSSAPIAuthentication no
597 ClientAliveInterval 0
599 Subsystem sftp /usr/lib/openssh/sftp-server
602 sudo service
ssh restart
# Create an administrator account: add the user (password disabled, to be set
# by the user through passwd-init) if missing, put them in the sudo group,
# install their public SSH key from the tool's store as authorized_keys, and
# import the tool's OpenPGP keys into their keyring; then run
# rule_user_admin_configure.  Arguments: $1 user name — the assignment of
# `user` (original 605) is not in this excerpt, nor are lines 617 and 619.
604 rule_user_admin_add
() { # SYNTAX: $user
606 id
"$user" >/dev
/null ||
607 sudo adduser
--disabled-password "$user"
# NOTE: the password must be initialised by the user with passwd-init.
# eval resolves the account's home through tilde expansion; $user is spliced
# into the eval'd text, so only validated account names must reach here.
609 eval local home\
; home
="~$user"
610 sudo adduser
"$user" sudo
# authorized_keys is installed root:root 0640: the user cannot edit (or read)
# it, only sshd (root) can — presumably intended so keys are managed by the
# tool; confirm.
611 sudo
install -m 640 -o root
-g root \
612 "$tool"/var
/pub
/ssh
/"$user".key \
613 "$home"/etc
/ssh
/authorized_keys
# `local -` scopes shell options to this function, so `set +f` re-enables
# globbing for the *.key loop only (the script runs with -f globally).
614 local key
; local -; set +f
615 for key
in "$tool"/var
/pub
/openpgp
/*.key
616 do sudo
-u "$user" gpg
--import "$key"
618 rule user_admin_configure
# Re-run the rules that depend on the set of administrators: the initramfs
# (dropbear authorized_keys) and root's own authorized_keys/keyrings.
# The closing `}` (original 623) is not shown.
620 rule_user_admin_configure
() {
621 rule initramfs_configure
622 rule user_root_configure
# Seed /etc/skel (per-user directories and the ~/.ssh, ~/.gnupg symlinks) and
# install the sudoers fragments and the passwd-init helper that let members of
# the sudo group set their own password once and query etckeeper's status.
# NOTE(review): an earlier function with this same name is defined at original
# line 541; this later definition replaces it.  Lines 626-627, 630-631, 640,
# 643, 646-648, 651-652, 654, 658-659 are not shown.
# NOTE(review): owner is given as -o in the first calls and as -u in the
# sudoers.d ones; GNU install has no -u option, so the latter fail unless
# `install` is wrapped — confirm.
624 rule_user_configure
() {
625 sudo
install -d -m 750 -o root
-g adm \
628 sudo
install -d -m 770 -o root
-g adm \
629 /etc
/skel
/etc
/apache2 \
632 /etc
/skel
/var
/cache \
633 /etc
/skel
/var
/cache
/ssh
634 sudo
ln -fns etc
/ssh /etc
/skel
/.
ssh
635 sudo
ln -fns etc
/gpg
/etc
/skel
/.gnupg
# passwd-init sudoers rule: sudo-group members may run, without a password,
# exactly this `sh -c` command, which calls passwd for $SUDO_USER only while
# `passwd --status` reports the account as locked (L) — i.e. a one-shot
# initialisation for accounts created with adduser --disabled-password.
# NOTE(review): sudo validates the mode of sudoers.d files against 0440 and may
# refuse a 0640 file on some versions — verify on the target.
636 sudo
install -m 640 -o root
-g root
/dev
/stdin
/etc
/sudoers.d
/passwd-init
<<-EOF
637 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
638 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
639 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
# `etckeeper unclean` only reports whether /etc has uncommitted changes
# (rule_apt_get_install calls it through sudo).
641 sudo
install -m 640 -u root
-g root
/dev
/stdin
/etc
/sudoers.d
/etckeeper-unclean
<<-EOF
642 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
# Keep the git committer identity across sudo, presumably so etckeeper commits
# record the real administrator; the rest of the env_keep list (646-648) is
# not shown.
644 sudo
install -m 640 -u root
-g root
/dev
/stdin
/etc
/sudoers.d
/env_keep
<<-EOF
645 Defaults env_keep = " \\
649 GIT_COMMITTER_NAME \\
650 GIT_COMMITTER_EMAIL \\
# passwd-init: the command string must stay byte-identical to the sudoers
# entry above, otherwise sudo no longer matches it.  Shebang (654) not shown.
653 sudo
install -m 755 -o root
-g root
/dev
/stdin
/usr
/local
/bin
/passwd-init
<<-EOF
655 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
656 sudo /bin/sh -e -f -u -c \
657 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
# Configure root's account: directories, ~/.gnupg and ~/.ssh symlinks, an
# authorized_keys built from the keys of every member of a group (which group,
# and the loop's input, are on original 670-671/674-675, not shown), and the
# tool's OpenPGP keys imported into root's keyring.  Lines 662-664, 667,
# 680-681 are not shown either.
# NOTE(review): GNU install has no -u option (owner is -o).
660 rule_user_root_configure
() {
661 sudo
install -d -m 750 -u root
-g adm \
665 sudo
ln -fns etc
/gpg
/root
/.gnupg
666 sudo
ln -fns etc
/ssh /root
/.
ssh
# Outer loop reads /etc/group-style records; the inner `read … <<-EOF` pops one
# comma-separated member per iteration.  `eval … home="~$user"` resolves each
# member's home, so member names must come from a trusted source.
668 while IFS
=: read -r group x x users
669 do while test -n "$users" && IFS
=, read -r user users
<<-EOF
672 do eval local home\
; home
="~$user"
673 cat "$home"/etc
/ssh
/authorized_keys
676 sudo
install -m 640 -u root
-g root
/dev
/stdin
/root
/etc
/ssh
/authorized_keys
# `local -` keeps `set +f` (globbing back on for *.key) local to this function.
677 local key
; local -; set +f
678 for key
in "$tool"/var
/pub
/openpgp
/*.key
679 do sudo gpg
--import "$key"
# Expose the tool's vm_hosted script system-wide by symlinking it into
# /usr/local/sbin/ (trailing slash: the link is created inside the directory;
# -f replaces an existing one).  The closing `}` (original 684) is not shown.
682 rule_bin_configure
() {
683 sudo
ln -fns "$tool"/vm_hosted
/usr
/local
/sbin
/
# Fragment: body of an aggregate rule whose header (original 684-685) and some
# steps (689, 691, 693, 695-697) are not in this excerpt.  etckeeper comes
# first, presumably so the changes made by the following rules are tracked.
686 rule etckeeper_configure
687 rule locale_configure
688 rule network_configure
690 rule filesystem_configure
692 rule user_root_configure
694 rule apticron_configure
# Change the passphrase of the root LUKS volume (cryptsetup prompts for the
# old and new passphrases).  The other volumes are unlocked via decrypt_derived
# from this volume's master key (see the crypttab written by the filesystem
# rule), so they presumably need no change — confirm.  `}` (700) not shown.
698 rule_luks_key_change
() {
699 sudo cryptsetup luksChangeKey
/dev
/$vm_lvm_vg/${vm_lvm_lv}_root
# Top-level guard: refuse to run unless this host's FQDN is the VM's, so the
# rules above cannot be applied to the wrong machine.  `assert` is a helper
# defined outside this excerpt; `vm_fqdn` is passed as the variable name,
# presumably for the failure message.
707 assert
'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn